[rsbac] weird question...

Andrea Pasquinucci cesare at ucci.it
Wed Sep 7 10:59:08 CEST 2005 

Your proposal anyway leads to a race condition, between the 'close' and 
the 'attr_set_file_dir'.

Btw, I have another problem, I need to enforce locking for the process 
which creates the file. In practice I have one process (in a 
particular Role) creating/opening + writing + closing the file. I must 
assure that no other process running with the same Role can write in the 
file while the first is doing it. If I can impose this, that is the 
first process which creates the file keeps exclusive access to it until 
it closes it, then using OPEN_APPEND is ok.

Any suggestion of which is the best way of imposing the locking? 

According to the kernel Documentation/mandatory.txt if the filesystem is 
mounted  with -o mand, the group execute bit is off and the set-GID is 
on on the file, then fcntl can create a mandatory lock on the file. 
which leaves me with create the file, get the mandatory lock, check that 
the file is empty, write, close. 

Thanks, Andrea




On Tue, Sep 06, 2005 at 03:29:50PM +0200, Amon Ott wrote:
* On Dienstag 06 September 2005 15:18, Andrea Pasquinucci wrote:
* > I have various questions to ask in this and following messages. I 
* start 
* > from the most difficult. I would like to have a directory where:
* > 
* > - one particular Role can create files and write in them
* > - once created and written the first time, the file cannot be 
* modified
* >   by anyone
* > - the same Role is able to change the atime and mtime (and ctime) of 
* all 
* >   files in this directory
* 
* An idea:
* 
* For that role:
* - Set a def_fd_ind_create_type for the dir's type to be a type with 
* write access for the role
* - Allow to ASSIGN the final type (which noone has write rights to)
* - Allow MODIFY_ATTRIBUTE on the def_fd_ind_create_type 
* 
* Then just call
* "attr_set_file_dir FILE <filename> rc_type_fd <finaltype>"
* after closing.
* 
* Amon.
* -- 
* http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22



-- 
--
Andrea Pasquinucci                     cesare at ucci.it
PGP key: http://www.ucci.it/ucci_pub_key.asc
fingerprint = 569B 37F6 45A4 1A17 E06F  CCBB CB51 2983 6494 0DA2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://rsbac.dyndns.org/pipermail/rsbac/attachments/20050907/7e658ad4/attachment.bin

More information about the rsbac mailing list